Facebook turns its users into anti-phishing detectives

This is Facebook's actual login page, but phishing attackers have gotten good at duping people into entering their credentials into spoofed pages that look identical to this one.

With nearly 1 billion users, Facebook is a prime target for cyberattackers looking to steal usernames and passwords.

Simple attacks known as "phishing" are surprisingly effective at fooling users into handing over their login credentials. By creating malicious Facebook messages or emails made to look like they're coming from Facebook itself, cyberthieves lead unsuspecting users to log in to malicious sites posing as legitimate ones.

Facebook(FB) has gotten pretty good at rooting out phishing attacks within its own virtual walls, but it hasn't been able to do anything about attacks that land in its users' e-mail inboxes.

That's why the social network has launched phish@fb.com, an email address that users can forward suspected phishing messages to. Facebook will analyze the message and determine where and from whom the malicious e-mail came.

"We have a pretty robust team here to deal with bad actors," says Mark Hammel, a Facebook engineer and malware researcher. "This will give us extra visibility into people's e-mail inboxes, where there wasn't a good feedback mechanism in place."

After a user sends a suspected phishing e-mail to Facebook, the company's e-crime team will note the URL of the spoofed log-in site the attackers were trying to send the user to. They'll then send that URL to third-parties like browser makers and search engines, in an attempt to blacklist the site. Facebook will also work with Internet providers and hosts to get the site removed from the Web entirely.

It's like a game of Whac-a-Mole. Phishers rarely keep their sites up for more than a few days, switching URLs to avoid blacklists and takedowns. That's why Facebook works with outside parties like the Anti-Phishing Working Group, a global consortium of technology companies and law enforcement agencies, to track down serial bad actors.

Once Facebook knows who is behind an attack, it will send out cease-and-desist orders or file criminal complaints.

Facebook said it's hard to determine how many attacks its users are being hit with. It hopes the new e-mail address will help it figure out the scope of the problem.

Nearly half of clicked-on phishing attempts targeted social networks such as Facebook, according to Microsoft's report.

Facebook is far from the only Internet company working on a phishing solution. Google(GOOG) has a phishing form users can fill out to report malicious websites. Ebay(EBAY) encourages customers to email spoof@ebay.com when they suspect a phishing attack. Twitter controls an @spam handle for reporting accounts that are set up for phishing.